From b399168e3fa44c7ae14bd1a81b9817d66d08421d Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Fri, 23 May 2014 14:39:30 +0200
Subject: [PATCH] Bug 1009957 - Suppress GC during bailouts. r=nbp

---
 js/src/jit/Bailouts.cpp         | 6 ++++++
 js/src/jit/BaselineBailouts.cpp | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/js/src/jit/Bailouts.cpp b/js/src/jit/Bailouts.cpp
index 9ffd825eec21..9e35bfddc74b 100644
--- a/js/src/jit/Bailouts.cpp
+++ b/js/src/jit/Bailouts.cpp
@@ -76,6 +76,8 @@ jit::Bailout(BailoutStack *sp, BaselineBailoutInfo **bailoutInfo)
 
     // We don't have an exit frame.
     cx->mainThread().jitTop = nullptr;
+    gc::AutoSuppressGC suppress(cx);
+
     JitActivationIterator jitActivations(cx->runtime());
     IonBailoutIterator iter(jitActivations, sp);
     JitActivation *activation = jitActivations->asJit();
@@ -110,6 +112,8 @@ jit::InvalidationBailout(InvalidationBailoutStack *sp, size_t *frameSizeOut,
 
     // We don't have an exit frame.
     cx->mainThread().jitTop = nullptr;
+    gc::AutoSuppressGC suppress(cx);
+
     JitActivationIterator jitActivations(cx->runtime());
     IonBailoutIterator iter(jitActivations, sp);
     JitActivation *activation = jitActivations->asJit();
@@ -178,6 +182,8 @@ jit::ExceptionHandlerBailout(JSContext *cx, const InlineFrameIterator &frame,
     MOZ_ASSERT_IF(!excInfo.propagatingIonExceptionForDebugMode(), cx->isExceptionPending());
 
     cx->mainThread().jitTop = nullptr;
+    gc::AutoSuppressGC suppress(cx);
+
     JitActivationIterator jitActivations(cx->runtime());
     IonBailoutIterator iter(jitActivations, frame.frame());
     JitActivation *activation = jitActivations->asJit();
diff --git a/js/src/jit/BaselineBailouts.cpp b/js/src/jit/BaselineBailouts.cpp
index 8453ababdbe7..2e4cc7e23896 100644
--- a/js/src/jit/BaselineBailouts.cpp
+++ b/js/src/jit/BaselineBailouts.cpp
@@ -1262,6 +1262,10 @@ jit::BailoutIonToBaseline(JSContext *cx, JitActivation *activation, IonBailoutIt
                           bool invalidate, BaselineBailoutInfo **bailoutInfo,
                           const ExceptionBailoutInfo *excInfo)
 {
+    // The Baseline frames we will reconstruct on the heap are not rooted, so GC
+    // must be suppressed here.
+    JS_ASSERT(cx->mainThread().suppressGC);
+
     JS_ASSERT(bailoutInfo != nullptr);
     JS_ASSERT(*bailoutInfo == nullptr);